Gmail addresses, website passwords leaked online

Almost five million Gmail addresses were posted on a Russian bitcoin forum along with passwords culled from various websites on Tuesday. The leak is believed to have been the result of years of phishing efforts and not a Gmail security breach. Email addresses from thousands of Russian email accounts were also leaked. (Google/Handout/Reuters)

A list of almost five million Gmail addresses and passwords culled from various websites was posted on a Russian online forum Tuesday.

Mashable and other technology news websites reported that the leaked passwords are not necessarily those used to access Gmail accounts but seem to have been compiled from other websites, including some where Gmail addresses were used to register.

Several internet security experts who examined the leaked list, which was posted as a text file to the Russian online forum Bitcoin Security, reported on Twitter that the passwords appear to be several years old.

Danish cybercrime specialist Peter Kruse of the CSIS Security Group tweeted that the leak "likely originates from various sources" and that most of the leaked passwords are more than three years old.

#Gmail #leak of 5 million accounts confirmed legit. They likely originates from various sources. Most passwords more than 3 years old.


Google, which operates the Gmail email service, said in a post on its Online Security Blog that less than two per cent of the username and password combinations posted online "might have worked."

"Our automated anti-hijacking systems would have blocked many of those login attempts," the post said.

"We've protected the affected accounts and have required those users to reset their passwords."

Google said the leak was one of several so-called credential dumps — the posting of lists of usernames and passwords online — that the company spotted this week.

The leak was first publicized in Russian online forums and media, including the popular technology website CNews, early Wednesday and then on a Reddit discussion forum.

Not a security breach, says Google

The leak does not appear to have been the result of a Gmail security vulnerability, and not all of the leaked email addresses were Gmail addresses — although the bulk were.

"It's important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems," Google said in its blog post. "Often, these credentials are obtained through a combination of other sources. For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others. Or attackers can use malware or phishing schemes to capture login credentials."

Software specialist Troy Hunt tweeted that about 123,000 of the approximately 4.78 million leaked addresses were part of the Russian email service Yandex. Addresses from the Russian-based service Mail.ru also appeared on the list.

Hunt runs the website Have I been pwned?, which allows users to verify whether their data has been compromised through a breach, and was in the process of importing the leaked list Wednesday afternoon in order to make the data searchable.

Those worried about the leak can also use the Russian site Is Leaked? to verify whether their Gmail addresses are on the list.
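The two things described above, tallying a leaked "address:password" list by email provider (as Hunt did for Yandex and Gmail) and letting people check whether their own addresses appear in it, are small enough to show in working code. The following is an added example written for this article; it is not CBC's, Google's, or Troy Hunt's code, and the dump lines, addresses, passwords, and HMAC key in it are all constructed for the demonstration.

```python
"""Added example (not from the article or any service it names): parse a
leaked "address:password" dump, count addresses per email provider, and check
a watch list of addresses against the dump using keyed hashes instead of a
plaintext cross-reference."""
import hashlib
import hmac
from collections import Counter

# Constructed sample dump in the one-credential-per-line shape the article
# describes. Every address and password here is made up.
SAMPLE_DUMP = """\
alice.example@gmail.com:hunter2
bob@yandex.ru:qwerty123
carol@mail.ru:letmein
Dave.Smith@Gmail.com:correct horse
not-a-valid-line
eve@gmail.com:pa:ss:word
"""


def parse_dump(text):
    """Yield (address, password) pairs from dump text.

    Split on the first ':' only, because passwords can contain colons, and
    skip lines that have no separator or no '@' in the address part.
    Addresses are lower-cased so later lookups are case-insensitive.
    """
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        address, password = line.split(":", 1)
        if "@" not in address:
            continue
        yield address.strip().lower(), password


def domain_counts(pairs):
    """Count addresses per provider domain (the kind of tally Hunt tweeted)."""
    return Counter(addr.rsplit("@", 1)[1] for addr, _ in pairs)


def _fingerprint(key, address):
    """Keyed SHA-256 of a normalised address (assumed scheme, not HIBP's)."""
    return hmac.new(key, address.strip().lower().encode(), hashlib.sha256).hexdigest()


def affected_addresses(pairs, watch_list, key=b"constructed-demo-key"):
    """Return the watched addresses that appear in the dump.

    The dump is indexed once as a set of keyed fingerprints. Whoever holds
    the index but not the key cannot test guessed addresses against it,
    which matters if the index is handed to a lookup service.
    """
    dump_index = {_fingerprint(key, addr) for addr, _ in pairs}
    return sorted(a for a in watch_list if _fingerprint(key, a) in dump_index)


if __name__ == "__main__":
    pairs = list(parse_dump(SAMPLE_DUMP))
    print(domain_counts(pairs))
    print(affected_addresses(pairs, ["dave.smith@gmail.com", "frank@gmail.com"]))
```

The passwords are never consulted for the lookup; only the address column is indexed, so an organisation can answer "is this address on the list?" for its own users without keeping the leaked passwords next to a plaintext directory of those users.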

Several security experts said Tuesday's leak was a reminder to internet users to use a two-step verification system when signing into Google services, change passwords frequently and not use the same password across websites and services.

The technology website The Daily Dot reported that Google and Yandex told CNews that the leak was likely the result of years of phishing and hacking efforts but that those did not compromise the companies' databases.
